registry  /  fca-uzair-rajput-developer  /  1.3.0

fca-uzair-rajput-developer@1.3.0

Uzair Rajput Facebook Chat API for Node.js - Interact with Facebook Messenger programmatically

AI Security Review

scanned 4h ago · by lpm-firewall-ai

On automatic session recovery, configured Facebook credentials are sent to a non-Facebook third-party endpoint. The package also performs a network update check during login and contains an optional npm installer.

Static reason
One or more suspicious static signals were detected.
Trigger
Call `login`/`loginAsync` with expired session state and configured auto-login credentials.
Impact
Facebook password, email, and optional two-factor code can be exfiltrated to the external service.
Mechanism
Credential forwarding to a package-author-controlled external login API.
Attack narrative
The CommonJS entrypoint loads `dist/index.js`. During login recovery, default-enabled auto-login reads credentials from `fca-uzair.json` and calls `tokens`, which posts the email, password, and optional 2FA code to `https://uzair.site/api/v1/facebook/login_ios`. That endpoint returns Facebook session cookies/tokens, making the package an intermediary for account credentials rather than a direct Facebook client.
Rationale
Direct source inspection confirms a concrete credential-exfiltration path to a non-Facebook author-controlled service, activated by the package's automatic login-recovery behavior. This exceeds the expected attack surface of a Facebook API client.
Evidence
package.jsondist/cjs.cjsdist/index.jsdocs/DOCS.mdfca-uzair.example.jsonfca-uzair.json
Network endpoints1
uzair.site/api/v1/facebook/login_ios

Decision evidence

public snapshot
AI called this Malicious at 96.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `dist/index.js` defaults API auth to author-controlled `https://uzair.site`.
  • `loginViaAPI3` POSTs supplied email, password, and optional 2FA to `/api/v1/facebook/login_ios`.
  • Default `autoLogin` is enabled; failed/expired Facebook sessions invoke the external credential API when configured credentials exist.
  • `loginAsync` runs a default-enabled update check before user login; it can execute `npm i` when config enables install.
Evidence against
  • `package.json` has no preinstall, install, or postinstall hooks.
  • Remote-control WebSocket requires explicit `remoteControl.enabled` and a user-provided URL.
  • The npm update request targets the configured npm registry and default install is false.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 1.47 MB of source, external domains: facebook.com, github.com, m.facebook.com, minhdong.site, registry.npmjs.org, static.xx.fbcdn.net, uzair.site, www.facebook.com, www.messenger.com

Source & flagged code

2 flagged · loading source
dist/index.jsView file
12820return new Promise((resolve, reject) => { L12821: (0, import_node_child_process.execFile)(npmCommand, ["i", dependency], { cwd: process.cwd() }, (error, _stdout, stderr) => { L12822: if (error) {
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L12820
36Cross-file remote execution chain: dist/index.js spawns dist/index.mjs; helper contains network access plus dynamic code execution. L36: // src/func/logger.ts L37: function writeStdout(message) { L38: process.stdout.write(`${message} L39: `); ... L55: function getTheme() { L56: const fromEnv = String(process.env.FCA_LOG_THEME || "").toLowerCase(); L57: if (fromEnv === "minimal") return "minimal"; ... L135: const parts2 = parseLabel(message, "READY"); L136: const bodyOut2 = parts2.label === "READY" ? formatSuccessBody(parts2.body, grad, styles.text) : grad ? grad.coolStatus(parts2.body) : styles.text(parts2.body); L137: const labelOut2 = grad ? grad.coolStatus(padLabel(parts2.label)) : styles.text(padLabel(parts2.label)); ... L1525: const ua = options?.userAgent || "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36"; L1526: const referer = options?.referer || "https://www.facebook.com/";
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/index.jsView on unpkg · L36

Findings

3 High2 Medium4 Low
HighChild Processdist/index.js
HighShell
HighCross File Remote Execution Contextdist/index.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings